Saturday, April 2, 2011

SCOM Agents using certificates

Many times you'll need SCOM agents to communicate with the RMS using certificates. This process, although fairly simple once you have done it a few times, is very frequently not well documented. When I needed to do it, I had to check a lot of different sources and bits and pieces. My intention here is to document the whole process.

A few assumptions: you have a functional SCOM server, a certificate authority in the same domain (in this example, an enterprise one) and a server in another domain or in a workgroup.

Step-by-step, oh baby!
So, here it goes and don't be scared. After you repeat the steps a few times, you'll be very comfortable with it.

e. Select the appropriate version of Windows Server (pick 2003 if you still have any 2003 on your network)

f. Name the Certificate SCOM Template (or anything you want) and configure as follows:

Click CSPs…

Click on Application Policies and configure as below:

g. Open the Certification Authority Configuration, right click on Certificate Templates and select new->Certificate Template to issue:

h. Select the SCOM Template you’ve just created and click OK

i. Close the Certification Authority Console

2. Creating the certificates
For this part of the configuration, we’ll need to export the certificate for the Root CA itself, generate a certificate for the SCOM RMS and generate certificates for each server that will communicate with the RMS.

b. Click on Download a CA certificate, certificate chain, or CRL and then click on Download CA certificate chain and save the file to a folder. The file will be called certnew.p7b by default. You can rename it. I'm using rootca.p7b.

c. Go back to the home page (http://dc1/certsrv) and click on Request a certificate->advanced certificate request->Create and submit a request to this CA

If you have issues opening this website (it complains that the ActiveX control is not loaded or that HTTPS needs to be enabled), add the website to the trusted sites and configure the security level for the trusted sites zone as custom with the option below:

d. Select yes to the next prompt:

e. Select the SCOM Template you created on step 1 from the Dropdown list:

f. Set the name of the server:

g. And set the friendly name:

h. Make sure the Mark keys as exportable is selected:

i. Click yes on the next prompt:

j. Click on Install certificate
Don't worry about where to install the certificate yet. It will be installed in your user account, under the Personal folder. We'll later export the certificate so that it can be used by the computer.

k. Repeat steps c through j of the certificate generation process for the agent; in my case, dmz1 is the name of the server

l. After you have generated all the necessary certificates, let's export them from your local store:

m. Open mmc.exe, add the Certificates snap-in for "My user account" and click OK.

n. Expand the Certificates tree until you see the contents of the Personal certificates folder:

If you can’t access it remotely, copy the files to a location accessible from the server to be managed.

e. Start the SCOM agent installation by running MSXML6.msi, OomADs (only if the server is a domain controller) and then MomAgent.msi

f. Click Next

g. Select

h. Click Next and then Install

i. Click Finish when the installation is finished

5. Importing certificates with momcertimport.exe

In this step, you'll need a tool called momcertimport.exe. It can be found on the SCOM installation DVD or image, under the SupportTools folder. There are 32-bit and 64-bit versions.

a. On the SCOM server, run the momcertimport.exe tool:

b. Select the appropriate certificate from the store and click OK

c. Restart the "System Center Management" service.

d. Repeat the steps on all servers to be managed.
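The export in step 2 (l through n), the import and service restart in step 5, and the expiry note at the end of the post can all be scripted. The PowerShell below is an added example and is not part of the original post or of the SCOM product; the function names are mine, and dmz1, the C:\certs folder, the rootca.p7b file name from step 2b and the SupportTools path are assumptions. It uses certutil for the store operations, momcertimport.exe's /SubjectName switch instead of the certificate picker, and a check function that looks for the things that most often break certificate authentication (missing private key, missing Server/Client Authentication EKUs, a chain that does not build because the root CA chain was never imported, and approaching expiry).

```powershell
# Added example (not from the original post): script steps 2, 5 and the expiry check.
# Assumed names: dmz1 (agent subject name), C:\certs (working folder), rootca.p7b (step 2b),
# D:\SupportTools\AMD64\MOMCertImport.exe (location on the SCOM installation media).

function Export-ScomAgentPfx {
    # Run on the workstation where web enrollment (steps 2c-2j) placed the certificate
    # in the *user* Personal store. Needs "Mark keys as exportable" (step 2h).
    param(
        [Parameter(Mandatory)][string]$SubjectName,   # e.g. dmz1
        [Parameter(Mandatory)][string]$PfxPath,       # e.g. C:\certs\dmz1.pfx
        [Parameter(Mandatory)][string]$PfxPassword    # protects the private key in transit
    )
    # certutil takes a subject-name substring as the certificate id;
    # -user selects CurrentUser\My instead of LocalMachine\My.
    certutil -user -p $PfxPassword -exportPFX My $SubjectName $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -exportPFX failed for $SubjectName" }
    Get-Item $PfxPath
}

function Install-ScomAgentCertificate {
    # Run on the managed server (or on the RMS) after the agent is installed (step 4).
    param(
        [Parameter(Mandatory)][string]$SubjectName,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][string]$PfxPassword,
        [Parameter(Mandatory)][string]$RootChainPath,   # rootca.p7b from step 2b
        [string]$MomCertImport = 'D:\SupportTools\AMD64\MOMCertImport.exe'  # assumed path
    )
    # The agent must trust the issuing CA: every certificate in the .p7b goes to Trusted Root.
    certutil -addstore -f Root $RootChainPath | Out-Null
    # Without -user, -importPFX lands in LocalMachine\My, which is where the agent looks.
    certutil -f -p $PfxPassword -importPFX $PfxPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -importPFX failed for $PfxPath" }
    # /SubjectName (documented by Microsoft; its use here is an assumption) replaces
    # the certificate picker of step 5b.
    & $MomCertImport /SubjectName $SubjectName
    # Step 5c: the service with display name "System Center Management" is HealthService.
    Restart-Service -DisplayName 'System Center Management'
}

function Test-ScomAgentCertificate {
    # Returns "OK: ..." or a list of problems for the newest matching machine certificate.
    param([Parameter(Mandatory)][string]$SubjectName, [int]$WarnDays = 30)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$SubjectName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return @("No certificate with CN=$SubjectName in LocalMachine\My") }
    $problems = @()
    if (-not $cert.HasPrivateKey) {
        $problems += 'no private key: re-export with "Mark keys as exportable"'
    }
    # 2.5.29.37 is the Enhanced Key Usage extension; the template must carry
    # Server Authentication (…7.3.1) and Client Authentication (…7.3.2).
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Oid.Value }) }
    foreach ($oid in '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2') {
        if ($ekus -notcontains $oid) {
            $problems += "EKU $oid missing: fix the template's Application Policies (step 1f)"
        }
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems += "chain does not build ($status): import the root CA chain into LocalMachine\Root"
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
        $problems += "expires $($cert.NotAfter): re-issue it before the agent stops communicating"
    }
    if ($problems.Count -eq 0) { return @("OK: $($cert.Thumbprint) valid until $($cert.NotAfter)") }
    return $problems
}

# Typical use (assumed names):
#   on the enrolling workstation:
#     Export-ScomAgentPfx -SubjectName dmz1 -PfxPath C:\certs\dmz1.pfx -PfxPassword (Read-Host 'PFX password')
#   on dmz1, after copying dmz1.pfx and rootca.p7b there (step 3's file copy):
#     Install-ScomAgentCertificate -SubjectName dmz1 -PfxPath C:\certs\dmz1.pfx `
#         -PfxPassword (Read-Host 'PFX password') -RootChainPath C:\certs\rootca.p7b
#     Test-ScomAgentCertificate -SubjectName dmz1
```

Run Test-ScomAgentCertificate before approving the agent in step 6: a certificate that fails any of these checks will not be accepted by the RMS, and the check output tells you which earlier step to revisit. The same functions apply to the RMS itself, which only needs them once.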

6. Approving and checking agent status

a. On the SCOM console, under Administration, check the Pending Agents:

b. Approve the agent

c.

A few points:

The steps performed on the RMS itself don't need to be repeated for each agent. They are done once only.

Eventually the certificates will expire and the process will need to be repeated, so I advise you to change the validity period of the certificates by following the instructions at this URL: http://support.microsoft.com/kb/254632